The precise actions necessary for an effective program to prevent and detect
violations of law will depend upon a number of factors. Among the relevant
factors are:

(i) Size of the organization: The requisite degree of formality of a program to
prevent and detect violations of law will vary with the size of the organization:
the larger the organization, the more formal the program typically should be. A
larger organization generally should have established written policies defining
the standards and procedures to be followed by its employees and other
agents.

(ii) Likelihood that certain offenses may occur because of the nature of its
business: If because of the nature of an organization’s business there is a
substantial risk that certain types of offenses may occur, management must
have taken steps to prevent and detect those types of offenses. For example, if
an organization handles toxic substances, it must have established standards
and procedures designed to ensure that those substances are properly handled
at all times. If an organization employs sales personnel who have flexibility in
setting prices, it must have established standards and procedures designed to
prevent and detect price- fixing. If an organization employs sales personnel
who have flexibility to represent the material characteristics of a product, it
must have established standards and procedures designed to prevent fraud.

(iii) Prior history of the organization: An organization’s prior history may
indicate types of offenses that it should have taken actions to prevent.
Recurrence of misconduct similar to that which an organization has previously
committed casts doubt on whether it took all reasonable steps to prevent such
misconduct.

An organization’s failure to incorporate and follow applicable industry practice
or the standards called for by any applicable governmental regulation weighs
against a finding of an effective program to prevent and detect violations of
law.